{do flatlanders dream of n-dimensional shapes?}

Exchanging Data Between Chrome and Content

Scenario: a chrome and a content application are aware of their respective existence and wish to communicate. Communication should be able to flow both ways.

One possibility for chrome→content communication is for chrome to invoke JavaScript functions defined in content. However, this would only work for DOM objects and properties (and for good reason), unless XPCNativeWrappers are disabled.

One possibility for chrome←content communication is for content to ask the user to grant it expanded privileges and then invoke chrome functions by itself. This opens a door much wider than necessary, increases the coupling between the remote and the local side, and nags the user.

Another possibility is described here.

Let there be two invisible <div> elements in content: <div id="for-chrome"> and <div id="for-content">.

Code living in content writes what it wants to be sent to chrome into <div id="for-chrome">; code living in chrome writes what it wants to be sent to content into <div id="for-content">; both register event listeners that tell them when the <div> they’re interested in gets new data.

Where will one want this? Probably in scenarios where the chrome application is expecting data from the content application that could come at any time, not just as a result of a chrome-initiated query, and one doesn’t want to sign scripts or nag users with requests for extra content privileges. The communication channel is still opt-in, although it’s the chrome code (which is trusted already) that opens it by registering the event listener, and it’s a much narrower channel with regard to security: an attacker would have to get hold of the content application and craft data specific to the chrome-content protocol, and the chrome code handling the protocol would have to contain security holes in the first place.
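
Since the remaining risk sits in the chrome code that handles the protocol, here is a sketch of a chrome-side receiver that treats whatever appears in <div id="for-chrome"> as untrusted data. It is an added example, not code from the original post; the JSON message shape, the allowlisted types, the `channel-data` event name and the EventTarget stand-in for the hidden div are assumptions made so it runs outside a browser.

```javascript
// Added example: chrome-side receiver for the <div id="for-chrome"> channel.
// MAX_LEN, HANDLERS, the message shape and "channel-data" are assumptions.
const MAX_LEN = 4096; // largest payload chrome will accept from content

// Allowlist: message type -> payload validator. Unknown types are dropped.
const HANDLERS = {
  status: (p) => typeof p === "string" && p.length <= 256,
  progress: (p) => Number.isInteger(p) && p >= 0 && p <= 100,
};

// Validate text read from the div. Returns {type, payload} or null.
function parseContentMessage(text) {
  if (typeof text !== "string" || !text || text.length > MAX_LEN) return null;
  let msg;
  try { msg = JSON.parse(text); } catch (e) { return null; }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  const keys = Object.keys(msg).sort().join(",");
  if (keys !== "payload,type" || typeof msg.type !== "string") return null;
  // Own-property check so "__proto__" or "constructor" cannot select a handler.
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, msg.type)) return null;
  if (!HANDLERS[msg.type](msg.payload)) return null;
  return { type: msg.type, payload: msg.payload };
}

// Chrome opens the channel by registering the listener on the div.
function openChannel(div, onMessage) {
  div.addEventListener("channel-data", () => {
    const msg = parseContentMessage(div.textContent); // data only, never eval
    div.textContent = "";
    if (msg) onMessage(msg);
  });
}

// Constructed sample writes from content, three of them malformed or hostile.
function demo() {
  // Constructed stand-in for the hidden div so this runs outside a browser.
  const div = Object.assign(new EventTarget(), { textContent: "" });
  const received = [];
  openChannel(div, (m) => received.push(m));
  const writes = ['{"type":"progress","payload":42}', '{"type":"constructor","payload":1}',
    '{"type":"status","payload":{"x":1}}', "alert(1)"];
  for (const text of writes) {
    div.textContent = text;
    div.dispatchEvent(new Event("channel-data"));
  }
  return received;
}
```

Only the first of the four constructed writes reaches `onMessage`; the others are rejected before any chrome logic sees them.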